(a) Field of the Invention
The present invention relates to a system and method for detecting and preventing network intrusion. More specifically, the present invention relates to an in-line mode system and method for detecting network intrusion and hacking and preventing the same.
(b) Description of the Related Art
Recently, as computers and Internet usage have become widespread, network intrusion and hacking techniques have also advanced quickly, and attacks that paralyze networks have caused serious economic loss, such as the suspension of electronic commerce services, as well as social disruption caused by the suspension of Internet services.
An IDS (intrusion detection system) is accordingly required that copes with the steep increase in network bandwidth and with attacks by hackers, and that has a more advanced hardware and software configuration.
Conventional IDSs are classified into host IDS products and network IDS products.
Host IDS products use an audit system or event logs to protect an end system, such as a server or a personal computer, and the network applications running on it.
Network IDS products monitor network traffic to detect attacks and intrusions and to prevent hackers' attacks. Nowadays, network IDS products are developed by concentrating on one of the following three categories: signature detection, anomaly detection, and denial of service detection.
Hackers attack networks by reusing attack methods that were successful in the past. These attacks are analyzed by producers of network security products, and detailed profiles, or attack signatures, are generated through the analysis.
The attack signature detection technique inspects the network traffic for attack fingerprints and compares them with known signatures to detect network attacks or intrusions. When an attack signature is found in the incoming traffic, the security system generates an alarm or warning signal so that the network manager is made aware of the attack.
Commonly used firewalls inspect specific fields within the packet header, such as the IP address or the port number, to determine whether an incoming packet is to be blocked or allowed to pass. They are therefore unable to detect signatures carried in the packet payload.
In addition, Snort-based products are network IDS products that use libpcap to capture packets and detect signatures located at arbitrary positions within the packets.
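The following added example (written for this page; it is not code from the patent and not Snort's own implementation) illustrates the distinction drawn in the preceding paragraphs: a firewall decision based only on header fields beside a signature check that searches the payload at arbitrary offsets. The packets, the allowed-port policy and the signatures are constructed for the illustration, and the `offset`/`depth`/`nocase` modifiers are a simplified, assumed rendering of Snort-style content options rather than Snort's exact semantics.

```python
"""Header-field filtering versus payload signature detection on constructed packets."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


@dataclass
class Signature:
    name: str
    content: bytes
    offset: int = 0            # start searching this many bytes into the payload
    depth: Optional[int] = None  # search only this many bytes from offset (None = to the end)
    nocase: bool = False       # case-insensitive comparison


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet (checksums left zero; sample data only)."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Parse IPv4 and TCP headers (no link-layer header) and return the payload."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is handled in this example")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    doff = (raw[ihl + 12] >> 4) * 4
    payload = raw[ihl + doff:total_len]
    return Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, payload)


def firewall_allows(pkt: Packet, allowed_dst_ports: set) -> bool:
    """A header-only decision: the payload is never consulted."""
    return pkt.dport in allowed_dst_ports


def signature_matches(sig: Signature, payload: bytes) -> bool:
    """Search the payload for the signature content at any position within the window."""
    end = None if sig.depth is None else sig.offset + sig.depth
    haystack, needle = payload[sig.offset:end], sig.content
    if sig.nocase:
        haystack, needle = haystack.lower(), needle.lower()
    return haystack.find(needle) != -1


def inspect(raw: bytes, allowed_dst_ports: set, signatures: List[Signature]) -> Dict:
    """Apply both checks to one packet and report the firewall verdict and any alerts."""
    pkt = parse_ipv4_tcp(raw)
    return {
        "dport": pkt.dport,
        "firewall": "allow" if firewall_allows(pkt, allowed_dst_ports) else "drop",
        "alerts": [s.name for s in signatures if signature_matches(s, pkt.payload)],
    }


# Constructed policy and signatures for the illustration.
ALLOWED_PORTS = {80, 443}
SIGNATURES = [
    Signature("WEB directory traversal", b"/etc/passwd"),
    Signature("WEB cmd.exe access", b"cmd.exe", nocase=True),
    Signature("WEB non-GET method", b"POST /cgi-bin/", offset=0, depth=14),
]

# Constructed sample packets: the first two are allowed by the firewall but carry attack
# content deep inside the payload; the third is blocked on port alone and is harmless.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40001, 80,
                   b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n\r\n"),
    build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40002, 80,
                   b"GET /scripts/..%c1%1c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n\r\n"),
    build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40003, 23, b"login: root\r\n"),
]


def run_demo() -> List[Dict]:
    return [inspect(raw, ALLOWED_PORTS, SIGNATURES) for raw in SAMPLE_PACKETS]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The first two packets pass the header-only check because port 80 is permitted, and only the payload search raises an alert; the `nocase` modifier is what catches `CMD.EXE`. The third packet is dropped on its destination port without any payload inspection at all, which is exactly the firewall behaviour the text describes.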
However, Snort-based products are implemented only in software, and hence they cannot keep up with network bandwidths that grow as link rates become faster. That is, given the pace of development of general-purpose processors and of the interconnects to subsystems such as memory, Snort-based products cannot keep pace with gigabit Internet interface rates.
Therefore, some network IDS products have attempted to improve performance by using a dedicated hardwired accelerator of the ASIC (application specific integrated circuit) type in order to cover the increased bandwidths.
These attempts solve the performance problem, but have difficulty accommodating protocol modifications or the many variants of attack patterns. In other words, ASIC development cycles are too long to cope appropriately with the fast changes in network intrusion techniques.
Accordingly, it is required to provide a system and method for detecting network intrusions that can keep up with quickly changing attacks.